hc-dev mailing list archives

From "Marcos Scriven (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1599) Need an alternative to the deprecated BasicScheme(ChallengeState)
Date Thu, 15 Jan 2015 21:51:34 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14279347#comment-14279347 ]

Marcos Scriven commented on HTTPCLIENT-1599:

Looking into this further, I thought it would be confusing for someone looking at this code
to see {{some-realm}}. "What's that realm?" they'd ask.

I looked into the {{HttpClient}} code, and there are three places that realm could potentially
be accessed from:

* {{RFC2617Scheme.getParameters();}}
Only used in {{DigestScheme}} to add a parameter. Not used in any of the tests

* {{RFC2617Scheme.getParameter("realm");}}
Oddly used within {{DigestScheme}} rather than its own {{getRealm()}} method

* {{RFC2617Scheme.getRealm();}}
Used in {{AuthenticationStrategyAdaptor}} which is deprecated
Used in {{AuthenticationStrategyImpl.select()}}, but defaults to {{AuthScope.ANY_REALM}} if

So, I think I've confirmed that the realm challenge is not used at all with {{BasicScheme}},
and yet one is forced to specify one. Is the best I can do just comment the line with "this
realm is not used"?

> Need an alternative to the deprecated BasicScheme(ChallengeState)
> -----------------------------------------------------------------
>                 Key: HTTPCLIENT-1599
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1599
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: 4.3.6
>            Reporter: Marcos Scriven
>            Priority: Minor
> The documentation for HttpClient 4 mentions the potential security issues around preemptive
> That notwithstanding, it provides the following solution (https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveBasicAuthentication.java)
> {code}
> // Create AuthCache instance
> AuthCache authCache = new BasicAuthCache();
> // Generate BASIC scheme object and add it to the local
> // auth cache
> BasicScheme basicAuth = new BasicScheme();
> authCache.put(target, basicAuth);
> // Add AuthCache to the execution context
> HttpClientContext localContext = HttpClientContext.create();
> localContext.setAuthCache(authCache);
> {code}
> This works fine, except for proxy authentication. In {{BasicScheme}}, the authenticate
> method checks the ChallengeState:
> https://github.com/apache/httpclient/blob/trunk/httpclient/src/main/java/org/apache/http/impl/auth/BasicScheme.java#L173
> The solution thus would appear to be to set the ChallengeState to {{PROXY}}:
> {code}
> BasicScheme proxyScheme = new BasicScheme(ChallengeState.PROXY);
> {code}
> This works, but appears to have been deprecated, and there's no alternative way to set
> this without first receiving a proxy auth challenge response.
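
One way to get a proxy-state {{BasicScheme}} without the deprecated constructor, as an added example (not code from the issue or from HttpClient's own examples): seed the scheme with a synthetic {{Proxy-Authenticate}} header and keep the credentials scoped to the proxy. The class name, proxy host, credentials and realm placeholder are assumptions, and the code targets the HttpClient 4.3 API.

```java
import org.apache.http.HttpHost;
import org.apache.http.auth.AUTH;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.MalformedChallengeException;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.message.BasicHeader;

public class PreemptiveProxyBasicAuth {  // hypothetical class name

    static HttpClientContext proxyContext(HttpHost proxy, String user, String password)
            throws MalformedChallengeException {
        // A Proxy-Authenticate header puts the scheme in the PROXY challenge
        // state. The realm is a placeholder (assumption), not a server value.
        BasicScheme proxyScheme = new BasicScheme();
        proxyScheme.processChallenge(
                new BasicHeader(AUTH.PROXY_AUTH, "Basic realm=\"placeholder-realm\""));
        if (!proxyScheme.isProxy()) {
            throw new IllegalStateException("scheme is not in PROXY state");
        }

        // Scope the credentials to the proxy host and port only, so they are
        // not offered to any other host the client talks to.
        CredentialsProvider credentials = new BasicCredentialsProvider();
        credentials.setCredentials(
                new AuthScope(proxy.getHostName(), proxy.getPort()),
                new UsernamePasswordCredentials(user, password));

        // The cache entry is keyed by the proxy host, not by the target.
        AuthCache authCache = new BasicAuthCache();
        authCache.put(proxy, proxyScheme);

        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(credentials);
        context.setAuthCache(authCache);
        return context;
    }

    public static void main(String[] args) throws Exception {
        HttpHost proxy = new HttpHost("proxy.example.test", 3128); // constructed
        HttpClientContext ctx = proxyContext(proxy, "user", "changeit");
        System.out.println(ctx.getAuthCache().get(proxy).getSchemeName());
    }
}
```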
